CMMC Level 2 has two assessment paths, and choosing the wrong one wastes time and money. Self-assessment and C3PAO certification both evaluate the same 110 NIST 800-171 security requirements. They differ in who conducts the evaluation, what the output means contractually, and which contracts accept which path.
The distinction isn’t about rigor preference. It’s about what the DoD requires for your specific contracts.
The Two Level 2 Assessment Types
Level 2 Self-Assessment
The organization evaluates itself against all 110 NIST 800-171 Rev 2 security requirements and 320 assessment objectives. A senior company official reviews the results, calculates the SPRS score, and affirms compliance. Results are submitted to SPRS.
Self-assessment is permitted for contracts involving CUI that the DoD designates as non-prioritized acquisitions. These are contracts where the CUI involved is assessed as lower risk within the DoD’s risk framework.
Self-assessment must be repeated every three years, with an annual affirmation submitted by a senior official confirming the organization still meets the requirements.
Level 2 C3PAO Certification Assessment
An Authorized C3PAO listed on The Cyber AB Marketplace conducts an independent assessment. The assessment team examines documentation, interviews personnel, and tests technical controls against all 110 security requirements and 320 assessment objectives. Results are entered into CMMC eMASS, with current status reflected in SPRS.
C3PAO certification is required for contracts involving CUI that the DoD designates as prioritized acquisitions. These are contracts where the CUI sensitivity, program criticality, or national security implications warrant independent verification.
C3PAO certification is valid for three years, with annual affirmation required. POA&M items must be closed within 180 days of the Conditional CMMC Status date.
How to Know Which One You Need
The solicitation tells you. DFARS clause 252.204-7021 specifies the CMMC level and assessment type required for a given contract. The contracting officer and program manager determine whether a contract requires self-assessment or C3PAO certification based on the sensitivity of the CUI involved and the program’s risk profile.
If the solicitation specifies Level 2 (Self): Self-assessment is sufficient. You evaluate yourself, submit to SPRS, and affirm annually.
If the solicitation specifies Level 2 (C3PAO): You must hold a Conditional or Final Level 2 (C3PAO) certification at the time of contract award. Self-assessment does not satisfy this requirement.
An unclear requirement is not a safe one. The solicitation and contract clause control which assessment type is required. Preparing only for self-assessment and then discovering that the solicitation requires C3PAO certification means you can’t bid. As a strategy choice, some contractors build to C3PAO-ready standards when they expect future contracts to require independent certification. Preparing for a C3PAO assessment and discovering you only needed self-assessment is an acceptable outcome — the reverse is not.
If you hold multiple contracts: Each specifies its own CMMC requirement. If any require C3PAO, you need the certification — and one C3PAO certification can cover multiple contracts if the assessment scope encompasses the relevant systems.
Side-by-Side Comparison
| Dimension | Self-Assessment | C3PAO Certification |
|---|---|---|
| Who conducts it | Your organization | An Authorized C3PAO from The Cyber AB Marketplace |
| Requirements evaluated | 110 NIST 800-171 Rev 2 security requirements, 320 objectives | Same 110 requirements, 320 objectives |
| Scoring | 110-point weighted model (1/3/5 per requirement) | Same 110-point weighted model |
| Results submitted to | SPRS | CMMC eMASS (status reflected in SPRS) |
| Applies to | Non-prioritized CUI acquisitions | Prioritized CUI acquisitions |
| POA&M allowed | Yes, permissible requirements only | Yes, permissible requirements only. 180-day close from Conditional Status date. |
| Certification status | Final Level 2 (Self) | Conditional or Final Level 2 (C3PAO) |
| Validity | 3 years, annual affirmation | 3 years, annual affirmation |
| Assessment cost | Internal effort only (or consultant-assisted) | $31,000 to $150,000+ depending on scope |
| Contract eligibility | Satisfies Level 2 (Self) requirements only | Satisfies both Level 2 (Self) and Level 2 (C3PAO) requirements |
Not sure which path your contracts require? Talk to our team — this is the kind of question that benefits from a conversation about your specific contracts.
The Rigor Gap
Self-assessment and C3PAO certification evaluate the same requirements, but the rigor is different in practice.
Self-assessment risks. When you grade your own paper, optimism creeps in. A control that’s “mostly implemented” gets scored as MET. Evidence that’s “close enough” gets accepted. Self-assessments can create false confidence if control scoring is optimistic or evidence quality is not tested at independent-assessment depth. The gap between what the organization believes and what an independent assessor would find is the rigor gap.
In readiness reviews we’ve conducted, gaps of 25 points or more are routine, and deltas north of 40 aren’t unusual. Self-assessment doesn’t just allow optimism — it structurally incentivizes it.
C3PAO assessment rigor. An independent assessor has no incentive to be generous. They examine evidence against specific assessment objectives. They interview staff to verify that documented procedures are actually followed. They test technical controls to confirm configurations match what the SSP describes. Findings that a contractor might overlook or rationalize during self-assessment become scored NOT MET findings during C3PAO review.
The practical implication. If you conduct a self-assessment and report a high SPRS score, but your compliance posture wouldn’t survive independent review, you face two risks. First, DIBCAC can audit your self-assessment under DFARS 7020 at any time. If their findings contradict your reported score, that’s a potential False Claims Act issue. Second, if your contracts later require C3PAO certification, you’ll discover the real gaps only when preparation time is short and stakes are high.
The Cost Difference
Self-assessment is cheaper in direct cost. The evaluation is conducted internally or with consultant support, typically costing $10,000 to $30,000 for a thorough, consultant-assisted self-assessment. Some organizations do it entirely with internal resources.
C3PAO certification adds assessment fees. For a small to mid-size contractor, assessment fees typically range from $31,000 to $100,000 depending on the size of the assessment scope, number of in-scope systems, and C3PAO pricing. Larger or more complex environments can exceed $150,000. These fees are separate from the cost of preparing for the assessment (remediation, documentation, evidence collection).
The cost comparison, however, should factor in risk. A self-assessment that produces a score your organization believes but that wouldn’t hold up under independent review is not actually cheaper. The cost of discovering real gaps during a DIBCAC audit, or scrambling to prepare for a C3PAO assessment when a contract requires one, exceeds the cost of doing the C3PAO assessment proactively.
Strategic Considerations
C3PAO certification covers both paths — and the trend favors it. If you hold a Level 2 (C3PAO) certification, you satisfy the requirement for both Level 2 (C3PAO) and Level 2 (Self) contracts. The reverse is not true. As CMMC enforcement phases advance, the proportion of contracts requiring C3PAO certification will grow. Building your compliance program to C3PAO-ready standards from the beginning avoids the cost and disruption of upgrading later. Among contractors we’ve supported, those who built to C3PAO-ready standards from day one spent meaningfully less total than those who prepared for self-assessment first and upgraded later. The rework cost of upgrading evidence and documentation quality exceeds the incremental effort of doing it right the first time.
Prime contractors are increasingly asking subcontractors for evidence beyond a self-reported SPRS score, even for contracts that technically allow self-assessment. Some primes require C3PAO certification from their supply chain regardless of what the solicitation mandates. Having the certification gives you competitive advantage in teaming arrangements and subcontract awards.
Most contractors we work with treat self-assessment as a diagnostic step, not a destination. Even if your target is C3PAO certification, conducting a rigorous self-assessment first is smart preparation. It identifies gaps, calibrates your readiness, and reveals the delta between your current state and what an independent assessor will expect.
Common Questions
Can I start with self-assessment and upgrade to C3PAO later?
Yes. Many contractors conduct a self-assessment first to establish a baseline and submit an initial SPRS score, then work toward C3PAO certification as contracts require it. The work is cumulative. Evidence collected and documentation developed for self-assessment carries forward to the C3PAO assessment.
We see this path frequently. The key lesson: capture evidence at C3PAO quality from the start, even if your first submission is a self-assessment. Upgrading evidence after the fact is where the real cost lives.
What if I fail the C3PAO assessment?
If you don’t achieve the minimum passing threshold, or if you have NOT MET findings on non-POA&M-eligible requirements, you don’t receive certification. You can remediate and schedule a new assessment. The cost of a second assessment is an additional fee. This is why a thorough readiness review before engaging the C3PAO matters. Find and fix the failures before you’re paying assessment-day rates.
Does a C3PAO help me prepare?
No. Under CMMC ecosystem rules, the C3PAO that assesses you cannot also prepare you. That’s a conflict of interest. Preparation support comes from RPOs (Registered Practitioner Organizations), MSPs, compliance consultants, or compliance platforms. The C3PAO’s role is strictly independent assessment.
How do I find an Authorized C3PAO?
The Cyber AB Marketplace lists all Authorized C3PAOs. Start your search 3 to 6 months before your target assessment date. Ask about experience with organizations of your size and complexity, assessment team composition, and scheduling availability.
Which Path Should You Take?
If your contracts specify self-assessment and you’re confident that’s all you’ll need for the foreseeable future, self-assessment meets the requirement. But do it honestly. A rigorous self-assessment that identifies real gaps is more valuable than a generous one that creates false confidence.
If any of your contracts require or may require C3PAO certification, or if you want maximum competitive flexibility in the DoD market, pursue C3PAO certification. The cost is higher, but an independently verified Level 2 (C3PAO) status generally carries more weight in the DoD acquisition process than a self-reported score.
Either way, the underlying work is the same: implement the 110 controls, build the documentation, collect the evidence, and maintain the compliance posture continuously.
Deep Fathom supports both paths. Our platform manages your gap assessment, documentation, and evidence whether you’re conducting a self-assessment or preparing for C3PAO certification. The same system of record serves both, so if you start with self-assessment and later need C3PAO certification, nothing is rebuilt. Check your readiness or talk to our team.